Another One Billion Yahoo Accounts Were Exposed In 2013 Breach

Earlier this September, Yahoo announced a record-breaking data breach that exposed 500 million accounts. The company has announced yet another data breach that was twice as large; one billion user accounts were affected.

First Reported Data Breach

According to Yahoo, the first data breach occurred in 2014, before it started applying some security protections in 2015. Half a billion accounts were exposed, including information such as names, email addresses, telephone numbers, dates of birth, and hashed passwords, as well as encrypted or unencrypted security questions and answers.

The company said at the time that the attacker was no longer in its networks and that users’ accounts should be safe.

New Data Breach

According to Yahoo’s new security team, the newly discovered data breach happened before the other one, in August 2013. An unauthorized party, which Yahoo couldn’t identify, gained access to Yahoo’s servers and one billion user accounts.

As with the other data breach, exposed information included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.

Alleged NSA Connections

Earlier this October, not long after the first data breach was reported, there were some other reports backed by multiple Yahoo sources that the company was not only scanning everyone’s emails for the U.S. government, but also that it allowed the NSA to install kernel-level malware. This would’ve given the NSA free reign on Yahoo’s servers, and it would’ve allowed the agency to see any email, not just those that were the target of an investigation.

Although this backdoor was seemingly installed in 2015, as we keep on seeing, government-mandated backdoors always end up being used by other malicious parties, eventually. That could mean that the 2013 and 2014 Yahoo data breaches may not be the last we’re going to see from the copmany, especially when it still doesn’t seem to take security too seriously even today.

Verizon Acquisition In Doubt

Verizon has been in talks with Yahoo over the possibility of an acquisition since before the data breaches were announced. Yahoo knew at least about the 2014 data breach when the negotiations with Verizon started, but it doesn’t seem to have told Verizon about it. Verizon has since asked Yahoo for a $1 billion discount on the $4.8 billion deal it offered.

However, after reports of Yahoo giving NSA complete access to its servers (which may have tainted its reputation and the trust users have in the company) and the recently announced data breach, Verizon may even consider dropping the deal altogether. At the very least, if we're to go by the numbers ($1 billion discount for 500 million user accounts data breach), and if Verizon wants to play its hand aggressively, it may now ask for another $2 billion discount, lowering the deal to less than half of what was initially proposed.

If that does happen, then it would show other companies that giving intelligence agencies secret access to all user data, which is likely unconstitutional and also shows a careless attitude towards security, could one day cost those companies billions of dollars, either through lost deals or lost reputation.

Yahoo Users: What To Do Now

If you haven’t already completely lost faith in Yahoo’s handling of the security of your emails and its willingness to protect those emails from the eyes of all third parties, then you may want to follow Yahoo’s instructions from below to protect your account:

Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo accountReview all of your accounts for suspicious activityBe cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal informationAvoid clicking on links or downloading attachments from suspicious emailsConsider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.

Choosing End-To-End Encryption

You may want to consider an end-to-end encrypted email solution that can protect your emails even when there’s a data breach or when the email service provider installs backdoors for various governments. With end-to-end encryption, email contents are encrypted on the user’s devices before they ever reach the company’s servers.

Yahoo’s previous security team had considered enabling end-to-end encryption for its users, too, through a browser extension initially developed by Google. However, by the time the project was ready, the NSA had already installed its backdoor, and the end-to-end encryption project was eventually canceled by Yahoo leadership.

Google hasn’t been working on the project for the past eight months either, or at least not publicly. However, end-to-end encrypted services such as ProtonMail or Tutanota, as well as other OpenPGP-based solutions, are still an alternative to email services that don't offer end-to-end encryption.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • problematiq
    If my company was popped, and my database was stolen with MD5 hashed passwords, I would probably fake my own death and live my life on some secluded island.
  • shrapnel_indie

    Yahoo is trying to put themselves out of business. If you did something about this after the initial announcement of the 2014 breech, you may have already done enough, but it doesn't hurt to play it safe.

    As to the given advice: uh, DUH! If everyone followed it everyday, phishing attacks wouldn't be as effective as they currently are.
  • problematiq
    I would like to see an article done about comparing password managers, as well as a" how to guide" for them. I use one and it rocks, but more people need to learn not to use the same password across multiple sites.
  • DookieDraws
    I truly wonder if there was really a hack, or if Yahoo! secretly sold user information to some unknown entity? Regardless, I have since changed my password from 1234567890, to 0987654321. So if any of you out there are using this same password of mine, maybe add a letter in there to make it different. Just a heads up! Y'all stay secure!
  • cats_Paw
    I wonder how many accounts did NOT get breached.
  • whitecrowro
    just deleted my account. yahoo account. only bad news lately.
  • Shlomo_1
    My yahoo account has had suspicious activity since 2008. And yahoo news is the fake news
  • laststop311
    i use gmail. Only for convenience. It integrates well with all of googles other services such as android, youtube etc. It just makes accessing email the easiest and least unobtrusive. Basically turns emails into texts on ur phone automatically without any real work other than typing ur google account in the phone when u first power it up. Every stupid naive tech user can just pick up gmail and poof it works. It may not be encrypted but I have secure trusted pgp keys with the people i need to have them from so even if the servers r hacked all they will see from my sensitive messages are scrambled up random letters and numbers.